Effective date: 17 June 2025 · Last updated: 17 June 2025
This policy applies to The Waffle Bar Athens and the website at which it is published. We are committed to protecting your personal data and complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Greek data protection law.
1. Who We Are
The data controller responsible for your personal data is:
- Business name: The Waffle Bar Athens
- Location: Athens, Attica, Greece
- Email: thewafflebarath@gmail.com
- WhatsApp / Phone: +30 698 862 8060
As the data controller, we determine the purposes and means of processing your personal data. If you have any questions about this policy or your data, please contact us using the details above.
2. Information We Collect
We collect personal data only when you actively provide it to us through our contact and booking form, or when it is generated automatically as part of normal website operation.
Information you provide directly
- First name and last name
- Email address
- Phone number or WhatsApp number
- Preferred event date
- Event location
- Number of guests
- Package preference (e.g. Single Maker, Double Trouble, VIP Experience, Custom Made)
- Order customisation details (waffle batter, toppings, service type)
- Any additional notes or special requests you include in your message
Information collected automatically
- IP address and approximate geographic location (country / city level)
- Browser type and version
- Operating system
- Pages visited and time spent on the website
- Referring URL (the page that linked you to our site)
- Cookie data (see Section 5)
We do not collect sensitive personal data (special category data) as defined under Article 9 GDPR, such as health data, political opinions, or biometric data.
3. How We Use Your Information
We use the personal data we collect for the following purposes:
| Purpose | Data used |
|---|---|
| Respond to your booking enquiry or general question | Name, email, phone, message |
| Prepare and confirm event bookings | Name, email, phone, event date, location, guest count, package, customisation |
| Send booking confirmations and follow-up communications | Name, email, phone |
| Improve the website and our services | Anonymised analytics data |
| Comply with legal obligations (e.g. tax, accounting records) | Name, contact details, booking details |
We will never sell, rent, or trade your personal data to third parties for their own marketing purposes.
4. Legal Basis for Processing
Under Article 6 of the GDPR, we rely on the following legal bases to process your personal data:
Performance of a contract (Article 6(1)(b))
When you submit a booking enquiry, we process your data because it is necessary to take steps at your request prior to entering into a contract for our catering services, and to perform that contract once confirmed.
Legitimate interests (Article 6(1)(f))
We process limited data for our legitimate interests in improving our website and understanding how visitors use it, provided those interests are not overridden by your rights. We carry out a balancing test before relying on this basis and use anonymised or aggregated data wherever possible.
Legal obligation (Article 6(1)(c))
In some cases we are required by Greek or EU law to retain certain records (for example, for VAT and accounting purposes). We process data to the extent required by those obligations.
Consent (Article 6(1)(a))
Where we use non-essential cookies or analytics tools, we rely on your consent, which you may withdraw at any time (see Section 5). We do not use consent as the legal basis for processing booking enquiries — that is covered by contract performance above.
5. Cookies & Analytics
Cookies are small text files placed on your device when you visit our website. We use cookies for the following purposes:
Essential cookies
These cookies are strictly necessary for the website to function. They do not collect personal data and cannot be switched off. No consent is required for these cookies.
Analytics cookies
We may use analytics tools (such as Google Analytics or similar services) to understand how visitors interact with our website — for example, which pages are most visited, how long visitors stay, and where they arrive from. Analytics data is aggregated and anonymised where possible.
Analytics cookies are only placed with your consent. You may decline analytics cookies without affecting your ability to use our website.
Managing cookies
You can control and delete cookies through your browser settings. Please note that disabling cookies may affect the functionality of certain parts of our website. For more information, visit allaboutcookies.org.
6. Third-Party Services
We use carefully selected third-party services to operate our website and process your data. These services act as data processors on our behalf and are contractually bound to handle your data securely and only for the purposes we specify.
Web3Forms
Our contact and booking form is processed by Web3Forms (web3forms.com), a form submission service. When you submit our form, your data is transmitted securely to Web3Forms, which delivers the submission to us via email. Web3Forms does not use your data for its own purposes and does not store it beyond the time required to deliver it.
Please review Web3Forms' own privacy policy for full details of their data handling practices.
Google Fonts
Our website loads fonts from Google Fonts (fonts.google.com). This may result in your IP address being transmitted to Google servers. Google Fonts serves fonts without associating the request with any Google account or building user profiles.
Flatpickr
Our date picker is powered by Flatpickr, an open-source JavaScript library loaded from jsDelivr (jsdelivr.com). Loading this library may result in your IP address being transmitted to jsDelivr's servers for the purpose of delivering the file.
Our website may provide links to contact us via WhatsApp. If you choose to use this channel, your communication will be subject to WhatsApp's own privacy policy. We do not control WhatsApp's data processing.
Hosting provider
Our website is hosted by a third-party hosting provider. Your IP address and certain technical data are processed by our hosting provider as part of normal website operation. Our hosting provider acts as a data processor and is bound by a data processing agreement.
7. Data Retention
We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by law.
| Data type | Retention period | Reason |
|---|---|---|
| Booking enquiry data (name, email, phone, event details) | Up to 2 years from your last contact with us | Business relationship management; legitimate interest in following up on enquiries |
| Confirmed booking records | 5 years from the date of the event | Legal and accounting obligations under Greek tax law |
| Email correspondence | 2 years from last communication | Legitimate interest in resolving any potential disputes |
| Analytics data | Up to 26 months (or per provider's retention settings) | Website improvement; anonymised/aggregated where possible |
| Server / access logs | Up to 90 days | Security monitoring and technical diagnosis |
When your data is no longer required, we will securely delete or anonymise it. Where we are unable to delete data immediately (for example, because it is stored in backup systems), we will ensure it is isolated and protected from further processing until deletion is possible.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights in relation to your personal data. You may exercise any of these rights by contacting us at thewafflebarath@gmail.com. We will respond within 30 days.
Hellenic Data Protection Authority (HDPA)
Kifissias 1–3, 115 23 Athens, Greece
Website: www.dpa.gr · Email: contact@dpa.gr · Phone: +30 210 6475 600
There is no charge for making a data rights request. We may ask you to verify your identity before responding to ensure we do not disclose your data to an unauthorised person.
9. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, or disclosure. These measures include:
- Transmission of form data over encrypted HTTPS connections (TLS)
- Use of reputable, vetted third-party processors with their own security standards
- Limiting access to personal data to those who genuinely need it for business purposes
- Keeping our website software and dependencies up to date
While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is 100% secure. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the HDPA within 72 hours as required by Article 33 GDPR, and will notify you directly if the breach is likely to result in a high risk to you.
10. International Transfers
Our website is primarily intended for customers in Greece and the European Union. Some of our third-party service providers (for example, hosting or analytics providers) may process data on servers located outside the European Economic Area (EEA).
Where we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place as required by Chapter V of the GDPR. These safeguards may include the European Commission's Standard Contractual Clauses (SCCs) or reliance on an adequacy decision by the European Commission.
11. Children's Privacy
Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. Our event catering services are intended for adult event organisers.
If you believe we have inadvertently collected personal data from a child under 16, please contact us immediately at thewafflebarath@gmail.com and we will promptly delete the data.
12. Links to Other Websites
Our website may contain links to external websites, including our social media profiles (Instagram, etc.) and third-party service providers. This Privacy Policy applies only to our website. We have no control over and accept no responsibility for the privacy practices of third-party websites. We encourage you to read the privacy policy of any external site you visit.
13. Contact Us About Your Data
If you have any questions about this Privacy Policy, wish to exercise any of your data rights, or have a concern about how we are handling your personal data, please contact us:
- Email: thewafflebarath@gmail.com
- WhatsApp / Phone: +30 698 862 8060
- Business location: Athens, Attica, Greece
We aim to respond to all data rights requests and privacy queries within 30 calendar days. If your request is complex or you have made a large number of requests, we may extend this by a further two months — we will inform you of any extension within the first 30 days.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page.
We encourage you to review this page periodically. Continued use of our website after changes are posted constitutes your acknowledgement of the updated policy. Where required by law, we will seek your consent for significant changes.
This Privacy Policy was last reviewed and updated on 17 June 2025.
If you have questions, email us at thewafflebarath@gmail.com